
Page 1: Detection of Active Internet Worm Camouflaging Wormdoc

Detection of Active Internet Worm: Camouflaging Worm

Abstract:

Internet worms are truly autonomous virtual viruses, spreading across the net, breaking into computers, and replicating without human assistance and usually without human knowledge. They are technological constructs with an intriguing mathematical structure and complexity. They fascinate because they take the digital imitation of life to another step: they autonomously search for computers, penetrate them, and replicate themselves to continue the process. As a network grows, existing detection frameworks do not scale with it; they can neither contain the spread of infection nor preserve quality of service for the distributed systems they are meant to protect. An active worm is a malicious program that propagates itself across the Internet to infect other computers, and it propagates by exploiting vulnerabilities in those computers. The Camouflaging Worm (C-Worm) is a type of active Internet worm that can intelligently manipulate its scan traffic volume over time. It can therefore camouflage its propagation from existing worm detection systems, which rely on analyzing the propagation traffic that worms generate. This paper presents a method to detect C-Worms.


INTRODUCTION

An Internet worm [1][2] is a program that spreads across the Internet by replicating itself on computers via their network connections. In the 1980s, researchers were seeking ways of managing the growing Internet remotely, using programs that could distribute themselves automatically across it. In the US, on 2 November 1988, a Cornell University student called Robert Morris released an experimental self-replicating program onto the Internet to find out how many computers were connected to it. The program spread rapidly, installing itself on an estimated 10% of the computers then connected. Morris had no malicious intent, but a bug in his program caused many of the computers the worm landed on to crash: it kept reinfecting hosts that were already infected, until the duplicate copies exhausted their resources. He was prosecuted and suspended from Cornell, but worms had come of age and have since evolved into an effective way of attacking systems connected to the Internet.

Most Internet worms are now malicious. As well as using the computers they land on to spread themselves further, they are designed to take control of them, either to steal confidential user information or to convert them into remote-controlled 'zombies' or 'bots'. Worms infect computers by exploiting bugs in legitimate software, usually in a network-facing service that accepts attacker-supplied input with no user action; the same kind of bug is also exploited by other delivery routes. Typically, a high-profile, trusted web page may be tampered with so that it transmits (often invisibly) a carefully corrupted document file to the user when the page is viewed. The corrupted file causes the viewer program to crash, opening a door for the injection of a malicious program. To help hide the infection, the malicious program is usually a 'downloader': a very small program that later connects to a remote computer over the Internet to download a more substantial piece of malicious software.

Active worms pose major security threats to the Internet. An active worm is a malicious software program that self-propagates in a network and infects hosts. Active worms such as Code Red infected more than 350,000 Microsoft IIS servers and caused an estimated 1.2 billion dollars of damage in less than 14 hours. Among the numerous forms of active worms, we studied a particular worm called the Camouflaging Worm (C-Worm) [3][4]. The C-Worm has self-propagating behavior similar to traditional worms: it intends to infect as many vulnerable computers as possible. However, the C-Worm differs from traditional worms in that it camouflages any noticeable trend in the number of infected computers over time. The camouflage is achieved by manipulating the scan traffic volume of worm-infected computers, so that the traffic seen by a monitor never exhibits the exponentially increasing trend, or crosses the volume threshold, that existing detection schemes track. This paper presents a method to detect the camouflaging worm.
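To make the camouflaging concrete, here is an added example; it is not code from this report or from the C-Worm paper it builds on. It simulates the scan traffic a /16 monitor would see from a traditional random-scanning worm and from a C-Worm that throttles its hosts so the aggregate volume stays near a target, then runs a simple volume-threshold detector over both, which catches only the traditional worm. It also computes the spectral flatness of the observed series, a check taken from the C-Worm literature rather than from this report: the C-Worm's regulated traffic has a concentrated spectrum and scores far lower than benign noise. Every parameter (vulnerable population, scan rate, monitor size, background noise, the C-Worm's target and modulation) is an assumption chosen for illustration, and the background series is constructed.

```python
"""Traditional worm vs. Camouflaging Worm (C-Worm) as seen from one monitor.

Added example, not code from the report. All parameters and the background
noise series are constructed for illustration.
"""
import cmath
import math
import random

ADDRESS_SPACE = 2 ** 32                        # IPv4 address space
VULNERABLE = 360_000                           # assumed number of vulnerable hosts
MAX_SCAN_RATE = 10_000                         # assumed scans per host per interval
MONITOR_FRACTION = 2 ** 16 / ADDRESS_SPACE     # a /16 monitor sees this share of random scans
BACKGROUND_MEAN, BACKGROUND_SD = 1000.0, 30.0  # constructed background scan noise
INTERVALS, ONSET = 384, 64                     # trace length and the interval the worm starts


def background(rng):
    """Constructed benign scan counts per interval as seen by the monitor."""
    return [rng.gauss(BACKGROUND_MEAN, BACKGROUND_SD) for _ in range(INTERVALS)]


def infect(infected, aggregate_scans):
    """One epidemic step for uniform random scanning: each scan lands on a
    not-yet-infected vulnerable host with probability (VULNERABLE - infected) / ADDRESS_SPACE."""
    new = aggregate_scans * (VULNERABLE - infected) / ADDRESS_SPACE
    return min(float(VULNERABLE), infected + new)


def traditional_worm(rng):
    """Every infected host scans flat out, so the observed volume grows with the infected population."""
    series = background(rng)
    infected = 1.0
    for t in range(ONSET, INTERVALS):
        aggregate = infected * MAX_SCAN_RATE
        series[t] += aggregate * MONITOR_FRACTION
        infected = infect(infected, aggregate)
    return series


def c_worm(rng, target=500.0, modulation=0.4, period=16):
    """Hosts throttle themselves so the aggregate volume the monitor sees stays
    near `target`, swinging slowly around it instead of tracking the infected
    population. Assumes the worm can estimate how many hosts it has infected,
    which it needs in order to divide the target rate among them."""
    series = background(rng)
    infected = 1.0
    for t in range(ONSET, INTERVALS):
        wanted = target * (1 + modulation * math.sin(2 * math.pi * t / period))
        # a young worm cannot yet produce the target volume: cap at what its hosts can send
        aggregate = min(wanted / MONITOR_FRACTION, infected * MAX_SCAN_RATE)
        series[t] += aggregate * MONITOR_FRACTION
        infected = infect(infected, aggregate)
    return series


def threshold_alarm(series, threshold=2 * BACKGROUND_MEAN):
    """Volume detector of the kind the C-Worm is built to evade: returns the
    first interval whose count crosses `threshold`, or None if it never does."""
    for t, count in enumerate(series):
        if count > threshold:
            return t
    return None


def spectral_flatness(window):
    """Spectral flatness measure of a window of counts: geometric mean over
    arithmetic mean of the power spectrum, DC bin excluded. White noise gives
    about 0.56; a series dominated by one periodic component gives a value near 0."""
    n = len(window)
    mean = sum(window) / n
    x = [v - mean for v in window]
    power = []
    for k in range(1, n // 2):                  # plain O(n^2) DFT, fine for n = 256
        bin_k = sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
        power.append(abs(bin_k) ** 2)
    geometric = math.exp(sum(math.log(p) for p in power) / len(power))
    return geometric / (sum(power) / len(power))


def run(seed=7, window=256):
    """Run both detectors over three traces; the spectral check uses the last
    `window` intervals, after the C-Worm has reached its target volume."""
    benign = background(random.Random(seed))
    classic = traditional_worm(random.Random(seed + 1))
    camouflaged = c_worm(random.Random(seed + 2))
    return {
        "background_alarm": threshold_alarm(benign),
        "traditional_alarm": threshold_alarm(classic),
        "cworm_alarm": threshold_alarm(camouflaged),
        "background_sfm": spectral_flatness(benign[-window:]),
        "cworm_sfm": spectral_flatness(camouflaged[-window:]),
    }


if __name__ == "__main__":
    for name, value in run().items():
        print(f"{name}: {value}")
```

The threshold detector fires on the traditional worm within a few tens of intervals of onset and never on the C-Worm, whose total stays under the threshold by construction; the spectral flatness of the C-Worm window sits near zero while the benign window sits near 0.56, which is the kind of signal a detector has to fall back on once volume alone is uninformative.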

SYSTEM STUDY

FEASIBILITY STUDY

The feasibility of the project is analyzed in this phase, and a business proposal is put forth with a very general plan for the project and some cost estimates. During system analysis the feasibility study of the proposed system is carried out, to ensure that the proposed system is not a burden to the company. For feasibility analysis, some understanding of the major requirements for the system is essential.

Three key considerations are involved in the feasibility analysis:

ECONOMICAL FEASIBILITY

TECHNICAL FEASIBILITY

SOCIAL FEASIBILITY

ECONOMICAL FEASIBILITY

This study is carried out to check the economic impact that the system will have on the organization. The amount of funding the company can put into research and development of the system is limited, so the expenditure must be justified. The developed system stayed well within budget, because most of the technologies used are freely available; only the customized products had to be purchased.

TECHNICAL FEASIBILITY

This study checks the technical requirements of the system. A system must not place a high demand on the available technical resources, since that would in turn place high demands on the client. The developed system has modest requirements, and only minimal or no changes are required to implement it.

SOCIAL FEASIBILITY

This aspect of the study checks the level of acceptance of the system by the user, including the process of training the user to use the system efficiently. The user must not feel threatened by the system, but should accept it as a necessity. The level of acceptance by the users depends on the methods employed to educate them about the system and to make them familiar with it. Their confidence must be raised so that they are also able to offer constructive criticism, which is welcome, since they are the final users of the system.


SYSTEM ANALYSIS

Existing System

Existing worm detection systems work by analyzing the propagation traffic that worms generate: they track the volume of scan traffic reaching a monitor and raise an alarm when it crosses a threshold or shows an exponentially increasing trend, the signature of a traditional worm infecting more and more hosts. As the network grows, these frameworks do not scale; they can neither contain the spread of infection nor preserve quality of service for the distributed systems they protect. Worse, the Camouflaging Worm (C-Worm), a type of active Internet worm, intelligently manipulates its scan traffic volume over time, so the traffic it generates never shows the trend or the threshold crossing these systems look for, and its propagation goes undetected.

Proposed System

An active worm is a malicious software program that propagates itself across the Internet to infect other computers by exploiting their vulnerabilities. The C-Worm is an active worm that manipulates its scan traffic volume over time and thereby camouflages its propagation from existing, volume-based worm detection systems. The proposed system is a method to detect C-Worms from the traffic they generate despite this camouflage; this paper presents that method.


SYSTEM DESIGN

Data Flow Diagram / Use Case Diagram / Flow Diagram

The DFD is also called a bubble chart. It is a simple graphical formalism that can be used to represent a system in terms of the input data to the system, the various processing carried out on that data, and the output data generated by the system.

UML DESIGN

Data Flow Diagram:


Activity Diagram:


UML Constructing:

UML models can be directly connected to a variety of programming languages, and the notation is sufficiently expressive and free from ambiguity to permit the direct execution of models.

UML Documenting:

UML provides a variety of documents in addition to raw executable code.

Figure 3.4 Modeling a System Architecture using views of UML

The use case view of a system encompasses the use cases that describe the behavior of the system as seen by its end users, analysts, and testers.

The design view of a system encompasses the classes, interfaces, and collaborations that form the vocabulary of the problem and its solution.

The process view of a system encompasses the threads and processes that form the system's concurrency and synchronization mechanisms.

The implementation view of a system encompasses the components and files that are used to assemble and release the physical system.

The deployment view of a system encompasses the nodes that form the system's hardware topology on which the system executes.

Uses of UML:

The UML is intended primarily for software-intensive systems. It has been used effectively for domains such as

Enterprise Information Systems

Banking and Financial Services

Telecommunications

Transportation

Defense/Aerospace

Retail

Medical Electronics

Scientific Fields

Distributed Web

Building blocks of UML:

The vocabulary of the UML encompasses three kinds of building blocks:

Things

Relationships

Diagrams

Things:

Things are the abstractions that are first-class citizens in a model. Things are of four kinds: Structural Things, Behavioral Things, Grouping Things, and Annotational Things.

Relationships:

Relationships tie the things together. The relationships in the UML are Dependency, Association, Generalization, and Realization.

UML Diagrams:

A diagram is the graphical presentation of a set of elements, most often rendered as a connected graph of vertices (things) and arcs (relationships).

There are two types of diagrams: Structural and Behavioral Diagrams.

Structural Diagrams:

The UML's four structural diagrams exist to visualize, specify, construct and document the static aspects of a system. You can view the static parts of a system using one of the following diagrams: Class Diagram, Object Diagram, Component Diagram, Deployment Diagram.

Behavioral Diagrams:

The UML's five behavioral diagrams are used to visualize, specify, construct, and document the dynamic aspects of a system. They are roughly organized around the major ways in which one can model the dynamics of a system. The behavioral diagrams are the Use Case Diagram, Sequence Diagram, Collaboration Diagram, State Chart Diagram, and Activity Diagram.

3.2.1 Use-Case diagram:

A use case is a set of scenarios describing an interaction between a user and a system. A use case diagram displays the relationships among actors and use cases; its two main components are use cases and actors. An actor represents a user or another system that will interact with the system you are modeling. A use case is an external view of the system that represents some action the user might perform in order to complete a task.

Contents:

Use cases

Actors

Dependency, Generalization, and association relationships

System boundary

[Use case diagram: the actor "user" interacts with the "worm detection" system boundary through the use cases start scan, infected files, detected files and detect worm.]

3.2.2 Class Diagram:

Class diagrams are widely used to describe the types of objects in a system and their relationships. Class diagrams model class structure and contents using design elements such as classes, packages and objects. Class diagrams describe three different perspectives when designing a system: conceptual, specification, and implementation. These perspectives become evident as the diagram is created and help solidify the design. Class diagrams are arguably the most used UML diagram type and the main building block of any object-oriented solution. A class diagram shows the classes in a system, the attributes and operations of each class, and the relationships between the classes. In most modeling tools a class has three parts: name at the top, attributes in the middle and operations or methods at the bottom. In large systems with many classes, related classes are grouped together to create class diagrams, and the different relationships between classes are shown by different types of arrows.

[Class diagram with relationships: start C-Worm, worm scan files, infected files, store log files, detect worm, worm detect status.]

Sequence Diagram

Sequence diagrams in UML show how objects interact with each other and the order in which those interactions occur. It is important to note that they show the interactions for a particular scenario. The processes are represented vertically and interactions are shown as arrows.

[Sequence diagram: lifelines c_worm detection, start c-worm scan, infected file, detected worm, worm scan file list, stored log file, worm detection status; messages in order: 1 select system volume drive(), 2 start scan(), 3 infect files(), 4 scan file list(), 5 detect worm(), 6 store log file(), 7 show detect status(), 8 show status().]

Collaboration diagram

The communication diagram was called a collaboration diagram in UML 1. It is similar to a sequence diagram, but the focus is on the messages passed between objects rather than on their ordering in time; the same information can be represented with a sequence diagram.

[Collaboration diagram: the same objects as in the sequence diagram, c_worm detection, start c-worm scan, infected file, detected worm, worm scan file list, stored log file and worm detection status, linked by the messages they exchange.]


State machine diagrams

State machine diagrams are similar to activity diagrams, although the notation and usage differ a little. They are sometimes known as state diagrams or statechart diagrams as well. They are very useful for describing the behavior of objects that act differently according to the state they are in at the moment. The state machine diagram below shows the basic states and actions.

[State machine diagram: states start C-Worm scan, infect files, detect worm, scan file list, store log files, detection status, worm detection analysis.]

State Machine diagram in UML, sometimes referred to as State or State chart diagram

3.2.3 Activity diagram:

Activity diagrams describe the workflow behavior of a system. Activity diagrams are similar to state diagrams because activities are the state of doing something. The diagrams describe the state of activities by showing the sequence of activities performed. Activity diagrams can show activities that are conditional or parallel.


How to Draw: Activity Diagrams

Activity diagrams show the flow of activities through the system. Diagrams are read from top to bottom and have branches and forks to describe conditions and parallel activities. A fork is used when multiple activities are occurring at the same time. The diagram below shows a fork after activity1, indicating that both activity2 and activity3 are occurring at the same time. After activity2 there is a branch. The branch describes what activities will take place based on a set of conditions. All branches are at some point followed by a merge to indicate the end of the conditional behavior started by that branch. After the merge, all of the parallel activities must be combined by a join before transitioning into the final activity state.

When to Use: Activity Diagrams

Activity diagrams should be used in conjunction with other modeling techniques such as interaction diagrams and state diagrams. The main reason to use activity diagrams is to model the workflow behind the system being designed. Activity diagrams are also useful for analyzing a use case by describing what actions need to take place and when they should occur, for describing a complicated sequential algorithm, and for modeling applications with parallel processes.


[Activity diagram: start c-worm; infect files and scan files; detect worm and store log files; detection status; worm detection analysis.]

Component diagram

]A component diagram displays the structural relationship of components of a software system.

These are mostly used when working with complex systems that has many components.

Components communicate with each other using interfaces. The interfaces are linked using

connectors. Below images shows a component diagram.


[Component diagram: a form component made up of label, text box and button components.]

Deployment Diagram

A deployment diagram shows the hardware of your system and the software running on that hardware. Deployment diagrams are useful when your software solution is deployed across multiple machines, each with a unique configuration. Below is an example deployment diagram.

[Deployment diagram: nodes scan C-worm and detect C-worm.]


SOFTWARE ENVIRONMENT

Java Technology

Java technology is both a programming language and a platform.

The Java Programming Language

The Java programming language is a high-level language that can be characterized by all of the following buzzwords:

Simple

Architecture neutral

Object oriented

Portable

Distributed

High performance

Interpreted

Multithreaded

Robust

Dynamic

Secure

With most programming languages, you either compile or interpret a program so that you can run it on your computer. The Java programming language is unusual in that a program is both compiled and interpreted. With the compiler, you first translate a program into an intermediate language called Java bytecode, the platform-independent code interpreted by the interpreter on the Java platform. The interpreter parses and runs each Java bytecode instruction on the computer. Compilation happens just once; interpretation occurs each time the program is executed. The following figure illustrates how this works.

You can think of Java bytecode as the machine code instructions for the Java Virtual Machine (Java VM). Every Java interpreter, whether it is a development tool or a Web browser that can run applets, is an implementation of the Java VM. Java bytecode helps make "write once, run anywhere" possible. You can compile your program into bytecode on any platform that has a Java compiler, and the bytecode can then be run on any implementation of the Java VM. That means that as long as a computer has a Java VM, the same program written in the Java programming language can run on Windows 2000, a Solaris workstation, or an iMac.


The Java Platform

A platform is the hardware or software environment in which a program runs. We’ve

already mentioned some of the most popular platforms like Windows 2000, Linux, Solaris, and

MacOS. Most platforms can be described as a combination of the operating system and

hardware. The Java platform differs from most other platforms in that it’s a software-only

platform that runs on top of other hardware-based platforms.

The Java platform has two components:

The Java Virtual Machine (Java VM)

The Java Application Programming Interface (Java API)

You’ve already been introduced to the Java VM. It’s the base for the Java platform and is

ported onto various hardware-based platforms.

The Java API is a large collection of ready-made software components that provide many

useful capabilities, such as graphical user interface (GUI) widgets. The Java API is grouped into

libraries of related classes and interfaces; these libraries are known as packages. The next

section, What Can Java Technology Do? Highlights what functionality some of the packages in

the Java API provide.

The following figure depicts a program that’s running on the Java platform. As the figure

shows, the Java API and the virtual machine insulate the program from the hardware.

Native code is code that after you compile it, the compiled code runs on a specific

hardware platform. As a platform-independent environment, the Java platform can be a bit

Page 25: Detection of Active Internet Worm Camouflaging Wormdoc

slower than native code. However, smart compilers, well-tuned interpreters, and just-in-time byte

code compilers can bring performance close to that of native code without threatening

portability.

What Can Java Technology Do?

The most common types of programs written in the Java programming language are applets and applications. If you have surfed the Web, you are probably already familiar with applets. An applet is a program that adheres to certain conventions that allow it to run within a Java-enabled browser.

However, the Java programming language is not just for writing cute, entertaining applets for the Web. The general-purpose, high-level Java programming language is also a powerful software platform. Using the generous API, you can write many types of programs. An application is a standalone program that runs directly on the Java platform. A special kind of application known as a server serves and supports clients on a network. Examples of servers are Web servers, proxy servers, mail servers, and print servers. Another specialized program is a servlet. A servlet can almost be thought of as an applet that runs on the server side. Java Servlets are a popular choice for building interactive web applications, replacing the use of CGI scripts. Servlets are similar to applets in that they are runtime extensions of applications. Instead of working in browsers, though, servlets run within Java Web servers, configuring or tailoring the server.

How does the API support all these kinds of programs? It does so with packages of software components that provide a wide range of functionality. Every full implementation of the Java platform gives you the following features:

The essentials: Objects, strings, threads, numbers, input and output, data structures, system properties, date and time, and so on.

Applets: The set of conventions used by applets.

Networking: URLs, TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) sockets, and IP (Internet Protocol) addresses.

Internationalization: Help for writing programs that can be localized for users worldwide. Programs can automatically adapt to specific locales and be displayed in the appropriate language.

Security: Both low level and high level, including electronic signatures, public and private key management, access control, and certificates.

Software components: Known as JavaBeans, these can plug into existing component architectures.

Object serialization: Allows lightweight persistence and communication via Remote Method Invocation (RMI).

Java Database Connectivity (JDBC): Provides uniform access to a wide range of relational databases.

The Java platform also has APIs for 2D and 3D graphics, accessibility, servers, collaboration, telephony, speech, animation, and more. The following figure depicts what is included in the Java 2 SDK.


How Will Java Technology Change My Life?

We cannot promise you fame, fortune, or even a job if you learn the Java programming language. Still, it is likely to make your programs better and requires less effort than other languages. We believe that Java technology will help you do the following:

Get started quickly: Although the Java programming language is a powerful object-oriented language, it is easy to learn, especially for programmers already familiar with C or C++.

Write less code: Comparisons of program metrics (class counts, method counts, and so on) suggest that a program written in the Java programming language can be four times smaller than the same program in C++.

Write better code: The Java programming language encourages good coding practices, and its garbage collection helps you avoid memory leaks. Its object orientation, its JavaBeans component architecture, and its wide-ranging, easily extendible API let you reuse other people's tested code and introduce fewer bugs.

Develop programs more quickly: Your development time may be as much as twice as fast as writing the same program in C++. Why? You write fewer lines of code, and it is a simpler programming language than C++.

Avoid platform dependencies with 100% Pure Java: You can keep your program portable by avoiding the use of libraries written in other languages. The 100% Pure Java Product Certification Program has a repository of historical process manuals, white papers, brochures, and similar materials online.

Write once, run anywhere: Because 100% Pure Java programs are compiled into machine-independent bytecode, they run consistently on any Java platform.

Distribute software more easily: You can upgrade applets easily from a central server. Applets take advantage of the feature of allowing new classes to be loaded "on the fly," without recompiling the entire program.


ODBC

Microsoft Open Database Connectivity (ODBC) is a standard programming interface for application developers and database system providers. Before ODBC became a de facto standard for Windows programs to interface with database systems, programmers had to use proprietary languages for each database they wanted to connect to. Now, ODBC has made the choice of the database system almost irrelevant from a coding perspective, which is as it should be. Application developers have much more important things to worry about than the syntax needed to port their program from one database to another when business needs suddenly change.

Through the ODBC Administrator in Control Panel, you can specify the particular database that is associated with a data source that an ODBC application program is written to use. Think of an ODBC data source as a door with a name on it. Each door leads to a particular database. For example, the data source named Sales Figures might be a SQL Server database, whereas the Accounts Payable data source could refer to an Access database. The physical database referred to by a data source can reside anywhere on the LAN.

The ODBC system files are not installed on your system by Windows 95. Rather, they are installed when you set up a separate database application, such as SQL Server Client or Visual Basic 4.0. When the ODBC icon is installed in Control Panel, it uses a file called ODBCINST.DLL. It is also possible to administer your ODBC data sources through a stand-alone program called ODBCADM.EXE. There is a 16-bit and a 32-bit version of this program, and each maintains a separate list of ODBC data sources.

From a programming perspective, the beauty of ODBC is that the application can be written to use the same set of function calls to interface with any data source, regardless of the database vendor. The source code of the application does not change whether it talks to Oracle or SQL Server; we only mention these two as an example. There are ODBC drivers available for several dozen popular database systems. Even Excel spreadsheets and plain text files can be turned into data sources. The operating system uses the Registry information written by ODBC Administrator to determine which low-level ODBC drivers are needed to talk to the data source (such as the interface to Oracle or SQL Server). The loading of the ODBC drivers is transparent to the ODBC application program. In a client/server environment, the ODBC API even handles many of the network issues for the application programmer.

The advantages of this scheme are so numerous that you are probably thinking there must be some catch. The only disadvantage of ODBC is that it is not as efficient as talking directly to the native database interface. ODBC has had many detractors charge that it is too slow. Microsoft has always claimed that the critical factor in performance is the quality of the driver software that is used. In our humble opinion, this is true. The availability of good ODBC drivers has improved a great deal recently. And anyway, the criticism about performance is somewhat analogous to the claim that compilers would never match the speed of pure assembly language. Maybe not, but the compiler (or ODBC) gives you the opportunity to write cleaner programs, which means you finish sooner. Meanwhile, computers get faster every year.

JDBC

In an effort to set an independent database standard API for Java, Sun Microsystems developed Java Database Connectivity, or JDBC. JDBC offers a generic SQL database access mechanism that provides a consistent interface to a variety of RDBMSs. This consistent interface is achieved through the use of “plug-in” database connectivity modules, or drivers. If a database vendor wishes to have JDBC support, he or she must provide the driver for each platform that the database and Java run on.

To gain a wider acceptance of JDBC, Sun based JDBC’s framework on ODBC. As you discovered earlier in this chapter, ODBC has widespread support on a variety of platforms. Basing JDBC on ODBC will allow vendors to bring JDBC drivers to market much faster than developing a completely new connectivity solution.

JDBC was announced in March of 1996. It was released for a 90-day public review that ended June 8, 1996. Because of user input, the final JDBC v1.0 specification was released soon after.

The remainder of this section will cover enough information about JDBC for you to know what it is about and how to use it effectively. This is by no means a complete overview of JDBC. That would fill an entire book.

JDBC Goals

Few software packages are designed without goals in mind. JDBC is one whose many goals drove the development of the API. These goals, in conjunction with early reviewer feedback, have finalized the JDBC class library into a solid framework for building database applications in Java.

The goals that were set for JDBC are important. They will give you some insight as to why certain classes and functionalities behave the way they do. The eight design goals for JDBC are as follows:

1. SQL Level API

The designers felt that their main goal was to define a SQL interface for Java. Although not the lowest database interface level possible, it is at a low enough level for higher-level tools and APIs to be created. Conversely, it is at a high enough level for application programmers to use it confidently. Attaining this goal allows future tool vendors to “generate” JDBC code and to hide many of JDBC’s complexities from the end user.

2. SQL Conformance

SQL syntax varies as you move from database vendor to database vendor. In an effort to support a wide variety of vendors, JDBC will allow any query statement to be passed through it to the underlying database driver. This allows the connectivity module to handle non-standard functionality in a manner that is suitable for its users.

3. JDBC must be implementable on top of common database interfaces

The JDBC SQL API must “sit” on top of other common SQL level APIs. This goal allows JDBC to use existing ODBC level drivers by the use of a software interface. This interface would translate JDBC calls to ODBC and vice versa.

4. Provide a Java interface that is consistent with the rest of the Java system

Because of Java’s acceptance in the user community thus far, the designers feel that they should not stray from the current design of the core Java system.

5. Keep it simple

This goal probably appears in all software design goal listings. JDBC is no exception. Sun felt that the design of JDBC should be very simple, allowing for only one method of completing a task per mechanism. Allowing duplicate functionality only serves to confuse the users of the API.

6. Use strong, static typing wherever possible

Strong typing allows for more error checking to be done at compile time; also, fewer errors appear at runtime.

7. Keep the common cases simple

Because, more often than not, the usual SQL calls used by the programmer are simple SELECTs, INSERTs, DELETEs and UPDATEs, these queries should be simple to perform with JDBC. However, more complex SQL statements should also be possible.

Finally we decided to proceed with the implementation using Java networking, and for dynamically updating the cache table we chose the MS Access database.

Java has two parts: a programming language and a platform.

Java is a high-level programming language that is all of the following: simple, object-oriented, distributed, interpreted, robust, secure, architecture-neutral, portable, high-performance, multithreaded and dynamic.

Java is also unusual in that each Java program is both compiled and interpreted. With a compiler you translate a Java program into an intermediate language called Java byte codes; these platform-independent code instructions are then passed to an interpreter and run on the computer.

Compilation happens just once; interpretation occurs each time the program is executed. The figure illustrates how this works.

You can think of Java byte codes as the machine code instructions for the Java Virtual Machine (Java VM). Every Java interpreter, whether it’s a Java development tool or a Web browser that can run Java applets, is an implementation of the Java VM. The Java VM can also be implemented in hardware.

Java byte codes help make “write once, run anywhere” possible. You can compile your Java program into byte codes on any platform that has a Java compiler. The byte codes can then be run on any implementation of the Java VM. For example, the same Java program can run on Windows NT, Solaris, and Macintosh.

[Figure: Java Program -> Compiler -> Interpreter -> My Program]

Networking

TCP/IP stack

The TCP/IP stack is shorter than the OSI one. TCP is a connection-oriented protocol; UDP (User Datagram Protocol) is a connectionless protocol.

IP datagrams

The IP layer provides a connectionless and unreliable delivery system. It considers each datagram independently of the others. Any association between datagrams must be supplied by the higher layers. The IP layer supplies a checksum that covers its own header. The header includes the source and destination addresses. The IP layer handles routing through an internet. It is also responsible for breaking up large datagrams into smaller ones for transmission and reassembling them at the other end.

UDP

UDP is also connectionless and unreliable. What it adds to IP is a checksum for the contents of the datagram and port numbers. These are used to give a client/server model; see later.

TCP

TCP supplies logic to give a reliable connection-oriented protocol above IP. It provides a virtual circuit that two processes can use to communicate.

Internet addresses

In order to use a service, you must be able to find it. The Internet uses an address scheme for machines so that they can be located. The address is a 32-bit integer which gives the IP address. This encodes a network ID and further addressing. The network ID falls into various classes according to the size of the network address.

Network address

Class A uses 8 bits for the network address with 24 bits left over for other addressing. Class B uses 16-bit network addressing. Class C uses 24-bit network addressing and class D uses all 32.

Subnet address

Internally, the UNIX network is divided into sub-networks. Building 11 is currently on one sub-network and uses 10-bit addressing, allowing 1024 different hosts.

Host address

8 bits are finally used for host addresses within our subnet. This places a limit of 256 machines that can be on the subnet.

Total address

The 32-bit address is usually written as 4 integers separated by dots.

Port addresses

A service exists on a host and is identified by its port. This is a 16-bit number. To send a message to a server, you send it to the port for that service on the host that it is running on. This is not location transparency! Certain of these ports are "well known".
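The addressing scheme described above, worked through as an added example (this code is not part of the original report): a Python helper that packs a dotted-quad into the 32-bit integer the text describes, derives the classful network/host split from the leading bits (8, 16 or 24 network bits for classes A, B and C; class D has no host portion; the reserved class E, which the text does not mention, is reported as "E"), and validates a host:port pair against the 16-bit port range. The 1024 boundary used for "well known" ports is the conventional one and is my assumption, and all sample addresses are constructed.

```python
"""Dotted-quad <-> 32-bit integer, classful network/host split, host:port validation.
Added example; the sample addresses below are constructed, not taken from the report."""

NETWORK_BITS = {"A": 8, "B": 16, "C": 24, "D": 32}   # widths stated in the text


def parse_ipv4(dotted: str) -> int:
    """Pack 'a.b.c.d' into the 32-bit integer that the IP header actually carries.
    Rejects anything that is not exactly four decimal octets in 0..255."""
    parts = dotted.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {dotted!r}")
    value = 0
    for part in parts:
        if not part.isdigit() or not 0 <= int(part) <= 255:
            raise ValueError(f"bad octet {part!r} in {dotted!r}")
        value = (value << 8) | int(part)
    return value


def format_ipv4(addr: int) -> str:
    """Inverse of parse_ipv4: write the 32-bit integer as four dotted integers."""
    if not 0 <= addr <= 0xFFFFFFFF:
        raise ValueError("address does not fit in 32 bits")
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def address_class(addr: int) -> str:
    """Class from the leading bits: 0xxx = A, 10xx = B, 110x = C, 1110 = D.
    The remaining prefix (1111) is the reserved class E, not covered by the text."""
    if addr >> 31 == 0b0:
        return "A"
    if addr >> 30 == 0b10:
        return "B"
    if addr >> 29 == 0b110:
        return "C"
    if addr >> 28 == 0b1110:
        return "D"
    return "E"


def split_network_host(dotted: str) -> tuple:
    """Return (class, network_id, host_id) using the classful widths from the text."""
    addr = parse_ipv4(dotted)
    cls = address_class(addr)
    bits = NETWORK_BITS.get(cls)
    if bits is None:
        raise ValueError(f"class {cls} has no network/host split")
    host_bits = 32 - bits
    return cls, addr >> host_bits, addr & ((1 << host_bits) - 1)


def parse_endpoint(text: str) -> tuple:
    """Validate 'host:port' -> (address_int, port, well_known).
    A port is a 16-bit number; ports below 1024 are the conventional 'well known'
    ones (assumed boundary, not stated in the text)."""
    host, sep, port_text = text.rpartition(":")
    if not sep or not port_text.isdigit():
        raise ValueError(f"expected host:port: {text!r}")
    port = int(port_text)
    if not 0 <= port <= 0xFFFF:
        raise ValueError(f"port {port} does not fit in 16 bits")
    return parse_ipv4(host), port, port < 1024


if __name__ == "__main__":
    for sample in ("10.1.2.3", "172.16.5.9", "192.168.1.20", "224.0.0.1"):  # constructed
        print(sample, split_network_host(sample))
    print(parse_endpoint("192.168.1.20:80"))
```

The strict octet check matters more than it looks: a validator that accepts "256.1.1.1" or a five-part string silently produces an integer that no host owns, and access-control lists built on such values fail open or closed unpredictably.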

Sockets

A socket is a data structure maintained by the system to handle network connections. A socket is created using the call socket. It returns an integer that is like a file descriptor. In fact, under Windows, this handle can be used with the ReadFile and WriteFile functions.

#include <sys/types.h>
#include <sys/socket.h>

int socket(int family, int type, int protocol);

Here "family" will be AF_INET for IP communications, protocol will be zero, and type will depend on whether TCP or UDP is used. Two processes wishing to communicate over a network create a socket each. These are similar to two ends of a pipe, but the actual pipe does not yet exist.
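The socket(family, type, protocol) call and the TCP-versus-UDP distinction above, shown end to end as an added example (not code from the report): both ends of each exchange run in one Python process on the loopback interface, the TCP side builds the "pipe" with listen/accept/connect before any bytes flow, and the UDP side gets by without any connection because each datagram carries its own ports. The messages are constructed and the port is chosen by the OS (bind to port 0), so nothing here touches a real service.

```python
"""TCP (connection-oriented) versus UDP (connectionless) on the loopback interface.
Added example; the messages exchanged are constructed and both ends run in this process."""
import socket
import threading

LOOPBACK = "127.0.0.1"
TIMEOUT = 5.0   # seconds; keeps a broken exchange from hanging forever


def tcp_exchange(message: bytes) -> bytes:
    """Server and client each create a socket, as the text describes; the server's
    accept() completes the 'pipe' that the client's connect() asks for, and the
    bytes then travel over a virtual circuit."""
    # socket(family, type, protocol): AF_INET, stream type, protocol 0
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
    server.settimeout(TIMEOUT)
    server.bind((LOOPBACK, 0))          # port 0: let the OS pick a free port
    server.listen(1)
    port = server.getsockname()[1]      # the 16-bit port the service now lives on

    def serve():
        conn, _peer = server.accept()   # one end of the pipe
        with conn:
            data = conn.recv(1024)
            conn.sendall(b"echo:" + data)

    worker = threading.Thread(target=serve)
    worker.start()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as client:
        client.settimeout(TIMEOUT)
        client.connect((LOOPBACK, port))   # the other end of the pipe
        client.sendall(message)
        reply = client.recv(1024)
    worker.join(TIMEOUT)
    server.close()
    return reply


def udp_exchange(message: bytes) -> bytes:
    """No connection at all: each datagram carries its own source/destination ports,
    and the server learns where to reply only from the datagram it received."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, 0)
    server.settimeout(TIMEOUT)
    server.bind((LOOPBACK, 0))
    port = server.getsockname()[1]
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, 0)
    client.settimeout(TIMEOUT)
    try:
        client.sendto(message, (LOOPBACK, port))    # no connect() needed
        data, peer = server.recvfrom(1024)          # peer = (address, client's port)
        server.sendto(b"echo:" + data, peer)
        reply, _ = client.recvfrom(1024)
    finally:
        client.close()
        server.close()
    return reply


def socket_is_descriptor_like() -> bool:
    """The text notes a socket 'is like a file descriptor': fileno() is a small int."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM, 0) as s:
        return isinstance(s.fileno(), int) and s.fileno() >= 0


if __name__ == "__main__":
    print(tcp_exchange(b"hello over tcp"))
    print(udp_exchange(b"hello over udp"))
```

Note the asymmetry that matters for detection work later in this report: the TCP server cannot receive a byte until a three-way handshake has completed, whereas a UDP socket accepts any datagram addressed to its port, so scan traffic of the two kinds leaves very different traces on the receiving host.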

JFreeChart

JFreeChart is a free 100% Java chart library that makes it easy for developers to display professional quality charts in their applications. JFreeChart's extensive feature set includes:

• A consistent and well-documented API, supporting a wide range of chart types;
• A flexible design that is easy to extend, and targets both server-side and client-side applications;
• Support for many output types, including Swing components, image files (including PNG and JPEG), and vector graphics file formats (including PDF, EPS and SVG).

JFreeChart is "open source" or, more specifically, free software. It is distributed under the terms of the GNU Lesser General Public Licence (LGPL), which permits use in proprietary applications.

1. Map Visualizations

Charts showing values that relate to geographical areas. Some examples include: (a) population density in each state of the United States, (b) income per capita for each country in Europe, (c) life expectancy in each country of the world. The tasks in this project include:

• Sourcing freely redistributable vector outlines for the countries of the world, states/provinces in particular countries (USA in particular, but also other areas);
• Creating an appropriate dataset interface (plus default implementation), a renderer, and integrating this with the existing XYPlot class in JFreeChart;
• Testing, documenting, testing some more, documenting some more.

2. Time Series Chart Interactivity

Implement a new (to JFreeChart) feature for interactive time series charts: display a separate control that shows a small version of ALL the time series data, with a sliding "view" rectangle that allows you to select the subset of the time series data to display in the main chart.

3. Dashboards

There is currently a lot of interest in dashboard displays. Create a flexible dashboard mechanism that supports a subset of JFreeChart chart types (dials, pies, thermometers, bars, and lines/time series) that can be delivered easily via both Java Web Start and an applet.

4. Property Editors

The property editor mechanism in JFreeChart only handles a small subset of the properties that can be set for charts. Extend (or reimplement) this mechanism to provide greater end-user control over the appearance of the charts.

Literature survey

Literature survey is the most important step in the software development process. Before developing the tool it is necessary to determine the time factor, economy and company strength. Once these things are satisfied, the next steps are to determine which operating system and language can be used for developing the tool. Once the programmers start building the tool, they need a lot of external support. This support can be obtained from senior programmers, from books or from websites. Before building the system, the above considerations are taken into account for developing the proposed system.

Active Worms

Active worms are similar to biological viruses in terms of their infectious and self-propagating nature. They identify vulnerable computers, infect them, and the worm-infected computers propagate the infection further to other vulnerable computers. In order to understand worm behavior, we first need to model it. With this understanding, effective detection and defense schemes could be developed to mitigate the impact of the worms. For this reason, tremendous research effort has focused on this area.

Active worms use various scan mechanisms to propagate themselves efficiently. The basic form of active worms can be categorized as having the Pure Random Scan (PRS) nature. In the PRS form, a worm-infected computer continuously scans a set of random Internet IP addresses to find new vulnerable computers. Other worms propagate themselves more effectively than PRS worms using various methods, e.g., network port scanning, email, file sharing, Peer-to-Peer (P2P) networks, and Instant Messaging (IM). In addition, worms use different scan strategies during different stages of propagation. In order to increase propagation efficiency, they use a local network or hit list to infect previously identified vulnerable computers at the initial stage of propagation. They may also use DNS, network topology and routing information to identify active computers instead of randomly scanning IP addresses. They split the target IP address space during propagation in order to avoid duplicate scans. Prior work has studied a divide-and-conquer scanning technique that could potentially spread faster and more stealthily than a traditional random-scanning worm; Ha formulated the problem of finding a fast and resilient propagation topology and propagation schedule for Flash worms; and worm propagation over sensor networks has also been studied.

The camouflaging worm (C-Worm) studied in this paper aims to elude detection by the worm defense system during worm propagation. Closely related, but orthogonal to our work, are the evolved active worms that are polymorphic in nature. Polymorphic worms are able to change their binary representation or signature as part of their propagation process. This can be achieved with self-encryption mechanisms or semantics-preserving code manipulation techniques. The C-Worm also shares some similarity with stealthy port-scan attacks. Such attacks try to find out the available services in a target system while avoiding detection. This is accomplished by decreasing the port scan rate, hiding the origin of the attackers, etc. Due to the nature of self-propagation, the C-Worm must use more complex mechanisms to manipulate the scan traffic volume over time in order to avoid detection.

IMPLEMENTATION

Implementation is the stage of the project when the theoretical design is turned into a working system. Thus it can be considered the most critical stage in achieving a successful new system and in giving the user confidence that the new system will work and be effective.

The implementation stage involves careful planning, investigation of the existing system and its constraints on implementation, designing of methods to achieve changeover and evaluation of changeover methods.

Main Modules:

1. C-Worm Detection Module

Camouflaging Worm (C-Worm). The C-Worm has a self-propagating behavior similar to traditional worms, i.e., it intends to rapidly infect as many vulnerable computers as possible. However, the C-Worm is quite different from traditional worms in that it camouflages any noticeable trends in the number of infected computers over time. The camouflage is achieved by manipulating the scan traffic volume of worm-infected computers. Such a manipulation of the scan traffic volume prevents exhibition of any exponentially increasing trends, or even crossing of thresholds, that are tracked by existing detection schemes.

2. Worm Detection Module (Anomaly Detection)

Since worms are malicious programs that execute on the computers they infect, analyzing the behavior of worm executables plays an important role in host-based detection systems. Many detection schemes fall under this category. In contrast, network-based detection systems detect worms primarily by monitoring, collecting, and analyzing the scan traffic (messages sent to identify vulnerable computers) generated by worm attacks. Many detection schemes fall under this category as well. Ideally, security vulnerabilities should be prevented to begin with, a problem which must be addressed by the programming language community. However, while vulnerabilities exist and pose threats of large-scale damage, it is critical to also focus on network-based detection, as this paper does, to detect wide-spreading worms.

3. Pure Random Scan (PRS) Module

The C-Worm can be extended to defeat other newly developed detection schemes, such as destination-distribution-based detection. Recall that attack-target-distribution-based schemes analyze the distribution of attack targets (the scanned destination IP addresses) as their basic detection data, to capture a fundamental feature of worm propagation, i.e., that infected computers continuously scan different targets.

4. Worm Propagation Module

In an open-loop control system, the worm's scan traffic volume has a much higher probability of showing an increasing trend as worm propagation progresses: as more and more computers get infected, they, in turn, take part in scanning other computers. Hence, we consider the C-Worm as a worst-case attack scenario that uses closed-loop control to regulate the propagation speed based on feedback about the propagation status.
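The open-loop versus closed-loop contrast in module 4, and the claim in module 1 and in the Active Worms discussion that manipulating scan volume hides the exponential trend that threshold-based detectors track, can be made concrete with a mean-field model. The following is an added example written for this report (it is not the report's own simulation code): a PRS worm whose aggregate scan volume grows with the infected population, a C-Worm that divides its per-host scan rate down as the infected count (its feedback signal) grows so that the aggregate volume a monitor sees stays flat, and a simple volume detector of the kind the text says existing schemes use. The address-space size, vulnerable population, scan rates and detector thresholds are all constructed for illustration; the "address space" is an abstract count, not real addresses, and no network traffic is generated.

```python
"""Mean-field model of worm propagation: Pure Random Scan (open loop) versus the
camouflaging worm's closed-loop regulation of aggregate scan volume, checked
against a volume-based detector.  Added example; every constant is constructed
for illustration and the address space is an abstract count, not real addresses."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Population:
    address_space: int = 2 ** 20    # size of the scanned space (constructed)
    vulnerable: int = 10_000        # vulnerable hosts hidden in that space
    initial_infected: int = 10
    ticks: int = 400                # time steps to simulate


def _step(infected: float, volume: float, pop: Population) -> float:
    """Expected new infections from `volume` random scans: each scan finds a
    not-yet-infected vulnerable host with probability (V - I) / N."""
    hit_probability = (pop.vulnerable - infected) / pop.address_space
    return min(pop.vulnerable, infected + volume * hit_probability)


def simulate_prs(pop: Population, scans_per_host: float = 100.0):
    """PRS worm, open loop: every infected host scans at a fixed rate, so the
    aggregate volume I * s grows with the infected population (the exponential
    trend that threshold/trend detectors rely on).  Returns (volumes, infected)."""
    infected = float(pop.initial_infected)
    volumes, counts = [], []
    for _ in range(pop.ticks):
        volume = infected * scans_per_host
        infected = _step(infected, volume, pop)
        volumes.append(volume)
        counts.append(infected)
    return volumes, counts


def simulate_cworm(pop: Population, target_volume: float = 1000.0):
    """C-Worm, closed loop: the per-host rate is divided down as the infected
    population (the feedback signal) grows, so the aggregate volume seen by a
    monitor stays at `target_volume` (up to floating point) while infection
    still spreads, only more slowly."""
    infected = float(pop.initial_infected)
    volumes, counts = [], []
    for _ in range(pop.ticks):
        per_host_rate = target_volume / infected      # feedback on propagation status
        volume = infected * per_host_rate             # ~= target_volume every tick
        infected = _step(infected, volume, pop)
        volumes.append(volume)
        counts.append(infected)
    return volumes, counts


def detect_volume_trend(volumes, threshold: float = 5000.0,
                        growth: float = 1.5, consecutive: int = 3):
    """Volume-based detector of the kind the text says existing schemes use:
    alarm on the first tick where the volume crosses `threshold`, or has grown
    by a factor >= `growth` for `consecutive` ticks in a row.  Returns the
    alarm tick, or None if the series never triggers it."""
    streak = 0
    for t, v in enumerate(volumes):
        if v >= threshold:
            return t
        if t > 0 and volumes[t - 1] > 0 and v / volumes[t - 1] >= growth:
            streak += 1
            if streak >= consecutive:
                return t
        else:
            streak = 0
    return None


def compare(pop: Population = Population()) -> dict:
    """Run both worms through the same detector and report what it sees."""
    prs_vol, prs_inf = simulate_prs(pop)
    cw_vol, cw_inf = simulate_cworm(pop)
    return {
        "prs_alarm_tick": detect_volume_trend(prs_vol),
        "prs_final_infected": round(prs_inf[-1]),
        "cworm_alarm_tick": detect_volume_trend(cw_vol),
        "cworm_final_infected": round(cw_inf[-1]),
        "cworm_volume_range": (min(cw_vol), max(cw_vol)),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:22s} {value}")
```

With these constants the PRS series trips the detector within the first few ticks, while the C-Worm series never does, even though roughly a third of the vulnerable population is infected by the end of the run. That gap is the blind spot of any detector that keys only on aggregate volume or its growth, and it is why the report treats the closed-loop worm as the worst case to design against.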

System Requirements:

Hardware Requirements:

• System : Pentium IV 2.4 GHz.
• Hard Disk : 40 GB.
• Floppy Drive : 1.44 MB.
• Monitor : 15-inch VGA Colour.
• Mouse : Logitech.
• RAM : 256 MB.

Software Requirements:

• Operating system : Windows XP Professional
• Front End : JAVA, Swing (JFC)
• Tool : Eclipse 3.3

INPUT DESIGN

The input design is the link between the information system and the user. It comprises the development of specifications and procedures for data preparation, and the steps necessary to put transaction data into a usable form for processing. This can be achieved by having the computer read data from a written or printed document, or by having people key the data directly into the system. The design of input focuses on controlling the amount of input required, controlling errors, avoiding delay, avoiding extra steps and keeping the process simple. The input is designed in such a way that it provides security and ease of use while retaining privacy. Input design considered the following things:

• What data should be given as input?
• How should the data be arranged or coded?
• The dialog to guide the operating personnel in providing input.
• Methods for preparing input validations and steps to follow when errors occur.

OBJECTIVES

1. Input design is the process of converting a user-oriented description of the input into a computer-based system. This design is important to avoid errors in the data input process and to show the correct direction to the management for getting correct information from the computerized system.

2. It is achieved by creating user-friendly screens for data entry to handle large volumes of data. The goal of designing input is to make data entry easier and free from errors. The data entry screen is designed in such a way that all the data manipulations can be performed. It also provides record viewing facilities.

3. When the data is entered it will be checked for validity. Data can be entered with the help of screens. Appropriate messages are provided as and when needed so that the user will not be left in a maze at any instant. Thus the objective of input design is to create an input layout that is easy to follow.

OUTPUT DESIGN

A quality output is one which meets the requirements of the end user and presents the information clearly. In any system, the results of processing are communicated to the users and to other systems through outputs. In output design it is determined how the information is to be displayed for immediate need, and also the hard-copy output. It is the most important and direct source of information to the user. Efficient and intelligent output design improves the system’s relationship with the user and helps user decision-making.

1. Designing computer output should proceed in an organized, well thought out manner; the right output must be developed while ensuring that each output element is designed so that people will find the system easy to use and effective. When analysts design computer output, they should identify the specific output that is needed to meet the requirements.

2. Select methods for presenting information.

3. Create document, report, or other formats that contain information produced by the system.

The output form of an information system should accomplish one or more of the following objectives:

• Convey information about past activities, current status or projections of the future.
• Signal important events, opportunities, problems, or warnings.
• Trigger an action.
• Confirm an action.

SYSTEM TESTING

The purpose of testing is to discover errors. Testing is the process of trying to discover every conceivable fault or weakness in a work product. It provides a way to check the functionality of components, sub-assemblies, assemblies and/or a finished product. It is the process of exercising software with the intent of ensuring that the software system meets its requirements and user expectations and does not fail in an unacceptable manner. There are various types of test. Each test type addresses a specific testing requirement.

TYPES OF TESTS

Unit testing

Unit testing involves the design of test cases that validate that the internal program logic is functioning properly, and that program inputs produce valid outputs. All decision branches and internal code flow should be validated. It is the testing of individual software units of the application; it is done after the completion of an individual unit, before integration. This is structural testing, which relies on knowledge of the unit's construction and is invasive. Unit tests perform basic tests at component level and test a specific business process, application, and/or system configuration. Unit tests ensure that each unique path of a business process performs accurately to the documented specifications and contains clearly defined inputs and expected results.

Integration testing

Integration tests are designed to test integrated software components to determine if they actually run as one program. Testing is event driven and is more concerned with the basic outcome of screens or fields. Integration tests demonstrate that although the components were individually satisfactory, as shown by successful unit testing, the combination of components is correct and consistent. Integration testing is specifically aimed at exposing the problems that arise from the combination of components.

Functional test

Functional tests provide systematic demonstrations that the functions tested are available as specified by the business and technical requirements, system documentation, and user manuals. Functional testing is centered on the following items:

Valid Input : identified classes of valid input must be accepted.
Invalid Input : identified classes of invalid input must be rejected.
Functions : identified functions must be exercised.
Output : identified classes of application outputs must be exercised.
Systems/Procedures : interfacing systems or procedures must be invoked.

Organization and preparation of functional tests is focused on requirements, key functions, or special test cases. In addition, systematic coverage of identified business process flows, data fields, predefined processes, and successive processes must be considered for testing. Before functional testing is complete, additional tests are identified and the effective value of current tests is determined.

System Test

System testing ensures that the entire integrated software system meets requirements. It tests a configuration to ensure known and predictable results. An example of system testing is the configuration-oriented system integration test. System testing is based on process descriptions and flows, emphasizing pre-driven process links and integration points.

White Box Testing

White box testing is testing in which the software tester has knowledge of the inner workings, structure and language of the software, or at least its purpose. It is used to test areas that cannot be reached from a black box level.

Black Box Testing

Black box testing is testing the software without any knowledge of the inner workings, structure or language of the module being tested. Black box tests, like most other kinds of tests, must be written from a definitive source document, such as a specification or requirements document. It is testing in which the software under test is treated as a black box: you cannot “see” into it. The test provides inputs and responds to outputs without considering how the software works.

Unit Testing:

Unit testing is usually conducted as part of a combined code and unit test phase of the software lifecycle, although it is not uncommon for coding and unit testing to be conducted as two distinct phases.

Test strategy and approach

Field testing will be performed manually and functional tests will be written in detail.

Test objectives

• All field entries must work properly.
• Pages must be activated from the identified link.
• The entry screen, messages and responses must not be delayed.

Features to be tested

• Verify that the entries are of the correct format.
• No duplicate entries should be allowed.
• All links should take the user to the correct page.

Integration Testing

Software integration testing is the incremental integration testing of two or more integrated software components on a single platform to produce failures caused by interface defects.

The task of the integration test is to check that components or software applications, e.g. components in a software system or – one step up – software applications at the company level – interact without error.

Test Results: All the test cases mentioned above passed successfully. No defects encountered.

Acceptance Testing

User Acceptance Testing is a critical phase of any project and requires significant participation by the end user. It also ensures that the system meets the functional requirements.

Test Results: All the test cases mentioned above passed successfully. No defects encountered.

Page 51: Detection of Active Internet Worm Camouflaging Wormdoc

SAMPLE CODE:

/****************************************************************/

/* Host1 */

/* */

/****************************************************************/

import java.awt.*;

import java.awt.event.*;

import javax.swing.*;

import java.net.*;

import java.io.*;

import java.lang.String;

/**

* Summary description for Host1

*

*/

public class Host1 extends JFrame

{

// Variables declaration

private JLabel Head;

private JLabel imageLabel;

Page 52: Detection of Active Internet Worm Camouflaging Wormdoc

private JLabel jLabel1;

private JLabel jLabel2;

private JLabel jLabel3;

private JLabel jLabel4;

private JComboBox jComboBox1;

private JComboBox jComboBox2;

private JTextArea jTextArea1;

private JScrollPane jScrollPane1;

private JButton jButton1;

private JButton jButton2;

private JButton jButton3;

private JButton jButton4;

private JPanel contentPane;

ServerSocket h1Sr;

Socket h1acp,h1Cl;

public static String wrm,incWrm,add,host,host2,host3,host4;

public static int ch,ptno,j,k,d;

public int status;

public String drive="C:/test1/";

public static String Fien,filename;

public static FileWriter fw;

Page 53: Detection of Active Internet Worm Camouflaging Wormdoc

public static String ad="",wname="c-worm.dll";

public static String spl[]=new String[500];

// End of variables declaration

public Host1()

{

super();

initializeComponent();

//

// TODO: Add any constructor code after initializeComponent call

//

this.setVisible(true);

try

{

host2="";

FileInputStream fis=new FileInputStream("Host2.txt");

while((ch=fis.read())!=-1)

host2+=(char)ch;

Page 54: Detection of Active Internet Worm Camouflaging Wormdoc

host2.trim();

host3="";

FileInputStream fis1=new FileInputStream("Host3.txt");

while((ch=fis.read())!=-1)

host3+=(char)ch;

host3.trim();

host4="";

FileInputStream fis2=new FileInputStream("Host4.txt");

while((ch=fis.read())!=-1)

host4+=(char)ch;

host4.trim();

wrm="";

FileInputStream f1=new FileInputStream("wm.txt");

while((ch=f1.read())!=-1)

wrm+=(char)ch;

h1Sr=new ServerSocket(1111);

status=1;

while (true)

Page 55: Detection of Active Internet Worm Camouflaging Wormdoc

{

if(status==1)

{

h1acp=h1Sr.accept();

//System.out.println("Ready Host1");

DataInputStream dis1=new

DataInputStream(h1acp.getInputStream());

wname=dis1.readUTF();

status=dis1.readInt();

//System.out.println("S="+status);

add=dis1.readUTF();

incWrm=dis1.readUTF();

System.out.println("Recieved Worm "+add);

Host1.spread(drive);

Host1.wrt();

Thread.sleep(1000);

if(status==1)

{

Page 56: Detection of Active Internet Worm Camouflaging Wormdoc

for(int i=0;i<3;i++)

{

if (i==0)

{

ptno=2222;

add="Host 2";

host=host2;

}

else if(i==1)

{

ptno=3333;

add="Host 3";

host=host3;

}

else if(i==2)

{

ptno=4444;

add="Host 4";

host=host4;

}

Page 57: Detection of Active Internet Worm Camouflaging Wormdoc

h1Cl=new Socket(host,ptno);

DataOutputStream dos1=new

DataOutputStream(h1Cl.getOutputStream());

dos1.writeUTF(wname);

dos1.writeInt(status);

dos1.writeUTF("From Host1");

dos1.writeUTF(incWrm);

System.out.println("Worm Sent "+add);

Thread.sleep(1000);

}}

}

else if(status==5)

{

System.out.println("Spreading Stopped");

/*try

{

fw.close();

}

catch (Exception er)

{

Page 58: Detection of Active Internet Worm Camouflaging Wormdoc

er.printStackTrace();

}*/

break;

}

}

}

catch (Exception er)

{

er.printStackTrace();

}

}

    /**
     * This method is called from within the constructor to initialize the form.
     * WARNING: Do NOT modify this code. The content of this method is always regenerated
     * by the Windows Form Designer. Otherwise, retrieving design might not work properly.
     * Tip: If you must revise this method, please backup this GUI file for JFrameBuilder
     * to retrieve your design properly in future, before revising this method.
     */
    private void initializeComponent()
    {
        Head = new JLabel();
        Head.setFont(new Font("Cambria",Font.BOLD,26));
        Head.setForeground(new Color(255,99,71));
        JLabel img = new JLabel();
        ImageIcon ii2 = new ImageIcon(this.getClass().getResource("HOST.jpg"));
        img.setIcon(ii2);
        img.setBounds(0,0,1000,800);
        jLabel1 = new JLabel();
        jLabel1.setFont(new Font("Cambria",Font.BOLD,22));
        jLabel1.setForeground(new Color(255,99,71));
        jLabel2 = new JLabel();
        jLabel2.setFont(new Font("Cambria",Font.BOLD,14));
        jLabel2.setForeground(new Color(255,99,71));
        jLabel3 = new JLabel();
        jLabel3.setFont(new Font("Cambria",Font.BOLD,14));
        jLabel3.setForeground(new Color(255,99,71));
        jLabel4 = new JLabel();
        jLabel4.setFont(new Font("Cambria",Font.BOLD,14));
        jLabel4.setForeground(new Color(255,99,71));
        // Names of the simulated payloads offered for selection; each entry must match the
        // literal tested for it in jComboBox1_actionPerformed
        String[] label1={"c-worm.dll","Team06.xff","Winfig.jax","Ghost.exe"};
        jComboBox1 = new JComboBox(label1);
        jComboBox1.setFont(new Font("Cambria",Font.BOLD,12));
        String[] label2={"Switch OFF","Switch ON"};
        jComboBox2 = new JComboBox(label2);
        jComboBox2.setFont(new Font("Cambria",Font.BOLD,12));
        jComboBox2.setForeground(new Color(255,99,71));
        jComboBox1.setForeground(new Color(255,99,71));
        // jTextArea1 = new JTextArea();
        jScrollPane1 = new JScrollPane();
        jButton1 = new JButton();
        jButton1.setFont(new Font("Cambria",Font.BOLD,14));
        jButton1.setForeground(new Color(255,99,71));
        jButton2 = new JButton();
        jButton2.setFont(new Font("Cambria",Font.BOLD,14));
        jButton2.setForeground(new Color(255,99,71));
        jButton3 = new JButton();
        jButton3.setFont(new Font("Cambria",Font.BOLD,14));
        jButton3.setForeground(new Color(255,99,71));
        jButton4 = new JButton();
        jButton4.setFont(new Font("Cambria",Font.BOLD,14));
        jButton4.setForeground(new Color(255,99,71));
        imageLabel = new JLabel();
        ImageIcon ii = new ImageIcon(this.getClass().getResource("debug.gif"));
        contentPane = (JPanel)this.getContentPane();
        //
        // Head
        //
        Head.setText("Modeling and Detection of Camouflaging Worm");
        //
        // jLabel1
        //
        jLabel1.setText("Client 1");
        //
        // jLabel2
        //
        jLabel2.setText("Worm To Spread: ");
        //
        // jLabel3
        //
        jLabel3.setText("Worm Catcher :");
        //
        // jLabel4
        //
        jLabel4.setText("Status Information :");
        //
        // jComboBox1
        //
        jComboBox1.addActionListener(new ActionListener() {
            public void actionPerformed(ActionEvent e)
            {
                jComboBox1_actionPerformed(e);
            }
        });
        //
        // jComboBox2
        //
        jComboBox2.addActionListener(new ActionListener() {
            public void actionPerformed(ActionEvent e)
            {
                jComboBox2_actionPerformed(e);
            }
        });
        //
        // jScrollPane1
        //
        jScrollPane1.setViewportView(jTextArea1);
        //
        // imageLabel
        //
        imageLabel.setIcon(ii);
        imageLabel.setBounds(20,220,500,340);
        imageLabel.setBackground(new Color(193,222,216));
        //
        // jButton1
        //
        jButton1.setText(" Spread Worm to Network ");
        jButton1.addActionListener(new ActionListener() {
            public void actionPerformed(ActionEvent e)
            {
                jButton1_actionPerformed(e);
            }
        });
        //
        // jButton2
        //
        jButton2.setText(" Stop Worm Spreading ");
        jButton2.addActionListener(new ActionListener() {
            public void actionPerformed(ActionEvent e)
            {
                jButton2_actionPerformed(e);
            }
        });
        //
        // jButton3
        //
        jButton3.setText(" Worm Scanner ");
        jButton3.addActionListener(new ActionListener() {
            public void actionPerformed(ActionEvent e)
            {
                jButton3_actionPerformed(e);
            }
        });
        //
        // jButton4 (created above but never placed on the content pane)
        //
        contentPane.setLayout(null);
        addComponent(contentPane, Head, 70,0,657,48);
        addComponent(contentPane, imageLabel, 450,60,240,250);
        addComponent(contentPane, jLabel1, 303,29,157,48);
        addComponent(contentPane, jLabel2, 60,90,190,35);
        addComponent(contentPane, jLabel3, 60,150,190,35);
        addComponent(contentPane, jLabel4, 60,195,290,35);
        addComponent(contentPane, jComboBox1, 265,90,150,30);
        addComponent(contentPane, jComboBox2, 265,150,150,30);
        addComponent(contentPane, jScrollPane1, 60,230,355,260);
        addComponent(contentPane, jButton1, 465,300,200,40);
        addComponent(contentPane, jButton2, 465,350,200,40);
        addComponent(contentPane, jButton3, 465,400,200,40);
        contentPane.add(img);
        //
        // Host1
        //
        this.setTitle("Client1 - Modeling and Detection of Camouflaging Worm");
        this.setLocation(new Point(300, 200));
        this.setSize(new Dimension(720, 550));
        this.setResizable(false);
        this.setBackground(new Color(150,0,222));
        this.setDefaultCloseOperation(WindowConstants.DISPOSE_ON_CLOSE);
    }

    /** Add Component Without a Layout Manager (Absolute Positioning) */
    private void addComponent(Container container,Component c,int x,int y,int width,int height)
    {
        c.setBounds(x,y,width,height);
        container.add(c);
    }

    //
    // TODO: Add any appropriate code in the following Event Handling Methods
    //
    private void jComboBox1_actionPerformed(ActionEvent e)
    {
        System.out.println("\nWorm Selected");
        Object o = jComboBox1.getSelectedItem();
        System.out.println(">>" + ((o==null)? "null" : o.toString()) + " is selected.");
        // TODO: Add any handling code here for the particular object being selected
        // Compare strings with equals(): == only tests object identity, not content
        String sel = (o==null) ? "" : o.toString();
        if(sel.equals("c-worm.dll"))
        {
            System.out.println("c-worm.dll df");
            wname="c-worm.dll";
        }
        else if(sel.equals("Team06.xff"))
        {
            System.out.println("Team06.xff df");
            wname="Team06.xff";
        }
        else if(sel.equals("Winfig.jax"))
        {
            System.out.println("Winfig.jax df");
            wname="Winfig.jax";
        }
        else if(sel.equals("Ghost.exe"))
        {
            System.out.println("Ghost.exe df");
            wname="Ghost.exe";
        }
    }

    private void jComboBox2_actionPerformed(ActionEvent e)
    {
        System.out.println("\nContainment Status Updated");
        Object o = jComboBox2.getSelectedItem();
        System.out.println(">>" + ((o==null)? "null" : o.toString()) + " is selected.");
        // TODO: Add any handling code here for the particular object being selected
        String sel = (o==null) ? "" : o.toString();
        if(sel.equals("Switch ON"))
        {
            System.out.println("Containment ON");
        }
        if(sel.equals("Switch OFF"))
        {
            System.out.println("Containment OFF");
        }
    }

    private void jButton1_actionPerformed(ActionEvent e)
    {
        System.out.println("\nStart Spreading");
        // TODO: Add any handling code here
        try
        {
            // status 1 = start: send the selected payload name and payload string to Host 2
            status=1;
            h1Cl=new Socket("localhost",2222);
            DataOutputStream dos1=new DataOutputStream(h1Cl.getOutputStream());
            dos1.writeUTF(wname);
            dos1.writeInt(status);
            dos1.writeUTF("From Host1");
            dos1.writeUTF(wrm);
            System.out.println("Worm Sent");
        }
        catch (Exception ed)
        {
            ed.printStackTrace();
        }
    }

    private void jButton2_actionPerformed(ActionEvent e)
    {
        System.out.println("\nStop Spreading");
        // TODO: Add any handling code here
        try
        {
            // status 5 = stop: notify every simulated host so its receive loop exits
            status=5;
            int port[]={2222,3333,4444};
            for(int k=0;k<port.length;k++)
            {
                h1Cl=new Socket("localhost",port[k]);
                DataOutputStream dos1=new DataOutputStream(h1Cl.getOutputStream());
                dos1.writeUTF(wname);
                dos1.writeInt(status);
                dos1.writeUTF("From Host1");
                dos1.writeUTF(wrm);
                System.out.println("Worm Sent");
            }
        }
        catch (Exception ed)
        {
            ed.printStackTrace();
        }
    }

    private void jButton3_actionPerformed(ActionEvent e)
    {
        System.out.println("\nContainment Window Opened");
        // TODO: Add any handling code here
        //Containment co=
        new Containment();
        //co.show();
        //Example1 ex1 = new Example1();
        //ex1.show();
    }

    private void jButton4_actionPerformed(ActionEvent e)
    {
        System.out.println("\nExit");
        // TODO: Add any handling code here
        System.exit(0);
    }

    //
    // TODO: Add any method code to meet your needs in the following area
    //
    /** Walks the directory tree under dr, appending every directory found to the
     *  '&'-separated list in ad; the list is split into spl for wrt() to consume. */
    public static void spread(String dr)
    {
        File path=new File(dr);
        File files[]=path.listFiles();
        if(files!=null)
        {
            for(int i=0;i<files.length;i++)
            {
                try
                {
                    filename=files[i].toString();
                    if(files[i].isDirectory())
                    {
                        //String wme="c-worm.dll";
                        ad+=filename+"&";
                        spread(filename);
                        //Host1.wrt();
                        //System.out.println("Folder :"+files[i].toString());
                        //fw=new FileWriter(new File(ad+"/"+wme));
                        //fw.write(incWrm);
                    }
                }
                catch (Exception ee)
                {
                    ee.printStackTrace();
                }
            }
            spl=ad.split("&");
            //System.out.println("Array length is...."+spl.length);
        }
        else
        {
            System.out.println("No Folders");
        }
    }

    /** Writes the received payload string (incWrm) as a file named wname into the next
     *  directory in spl; the static counter j selects which directory each call uses. */
    public static void wrt()
    {
        try
        {
            String spl1=spl[j].replace('\\','/');
            System.out.println(spl1);
            String wme=spl1+"/"+wname;
            fw=new FileWriter(new File(wme));
            fw.write(incWrm);
            j++;
            fw.close();
        }
        catch (Exception kl)
        {
            kl.printStackTrace();
        }
    }

    //============================= Testing ================================//
    //=                                                                    =//
    //= The following main method is just for testing this class you built.=//
    //= After testing,you may simply delete it.                            =//
    //======================================================================//
    public static void main(String[] args)
    {
        JFrame.setDefaultLookAndFeelDecorated(true);
        JDialog.setDefaultLookAndFeelDecorated(true);
        try
        {
            UIManager.setLookAndFeel("com.sun.java.swing.plaf.windows.WindowsLookAndFeel");
        }
        catch (Exception ex)
        {
            System.out.println("Failed loading L&F: ");
            System.out.println(ex);
        }
        new Host1();
    }
    //= End of Testing =
}

SCREENS:

[Screenshots of the application windows (pages 80 to 90 of the original document) are not reproduced in this text extraction.]

CONCLUSION

An Internet worm is a program or algorithm that replicates itself over a computer network and invariably performs malicious actions such as shutting a machine down or using up its resources. No network of computers is impenetrable or immune to attacks of this kind. An active worm is a malicious software program that propagates itself on the Internet to infect other hosts, and its propagation relies on exploiting vulnerabilities of hosts on the Internet. The camouflaging worm (C-Worm) is a new type of active worm. The framework concentrates on increasing the data delivered to the destination distributed system and on raising the throughput of the framework for C-Worm detection. The C-Worm has a self-propagating behaviour similar to traditional worms, i.e., it intends to rapidly infect as many vulnerable computers as possible. However, the C-Worm differs from traditional worms in that it camouflages any noticeable trend in the number of infected computers over time; the camouflage is achieved by manipulating the scan traffic volume of worm-infected computers. We present a C-Worm detection method that uses four modules: the C-Worm detection module, the Detection module, the Pure Random Scan (PRS) module and the Worm propagation module. This method is very efficient and detects both active and existing worms.
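To make the detection idea concrete from the monitor's side, the following is an added example and not code from this project or from the paper it builds on. It models per-time-slot scan counts seen by a traffic monitor and applies the spectrum-based test used in reference [3]: the spectral flatness measure (SFM) of the traffic's power spectral density. A worm whose scan volume is manipulated to hide growth still leaves its manipulation pattern in the frequency domain, so the PSD concentrates in a few bins and the SFM drops, while benign background scanning has a flat, noise-like spectrum. The three traces, the logistic growth curve for the PRS worm, the modulation period of 16 slots for the C-Worm and the detection threshold of 0.2 are all constructed assumptions for this illustration, not values from the document.

```python
import cmath
import math
import random

# Constructed sample traces (scan counts per time slot seen by a monitor); not data from the document.
SLOTS = 128


def background_trace(seed=7):
    """Benign background scanning: noise-like counts with no structure."""
    rng = random.Random(seed)  # fixed seed keeps the trace reproducible
    return [50.0 + rng.uniform(-10.0, 10.0) for _ in range(SLOTS)]


def prs_worm_trace(seed=8):
    """Pure Random Scan worm: scan volume tracks the logistic growth of infected hosts."""
    rng = random.Random(seed)
    return [1000.0 / (1.0 + math.exp(-(t - 64) / 8.0)) + rng.uniform(-2.0, 2.0)
            for t in range(SLOTS)]


def c_worm_trace(period=16, seed=9):
    """C-Worm style trace: volume is held around a constant level and modulated with a fixed
    period, so the count shows no growth trend but carries a strong spectral line."""
    rng = random.Random(seed)
    return [30.0 + 20.0 * math.sin(2 * math.pi * t / period) + rng.uniform(-2.0, 2.0)
            for t in range(SLOTS)]


def power_spectrum(series):
    """One-sided periodogram of the mean-removed series (DC bin excluded), via a direct DFT."""
    n = len(series)
    mean = sum(series) / n
    x = [v - mean for v in series]  # remove the constant level so only variation is scored
    psd = []
    for k in range(1, n // 2 + 1):
        acc = 0j
        for t, v in enumerate(x):
            acc += v * cmath.exp(-2j * math.pi * k * t / n)
        psd.append(abs(acc) ** 2 / n)
    return psd


def spectral_flatness(psd):
    """SFM = geometric mean / arithmetic mean of the PSD bins: near 1 for a flat (noise-like)
    spectrum, near 0 when power is concentrated in a few bins."""
    eps = 1e-12  # keeps log() defined for (near-)zero bins
    n = len(psd)
    geo = math.exp(sum(math.log(p + eps) for p in psd) / n)
    arith = sum(psd) / n + eps
    return geo / arith


def is_worm_like(series, threshold=0.2):
    """Detection rule (threshold is an assumed value): a concentrated spectrum flags worm-like traffic."""
    return spectral_flatness(power_spectrum(series)) < threshold


if __name__ == "__main__":
    for name, trace in (("background", background_trace()),
                        ("PRS worm", prs_worm_trace()),
                        ("C-Worm", c_worm_trace())):
        sfm = spectral_flatness(power_spectrum(trace))
        print(f"{name:10s} SFM={sfm:.4f} worm-like={is_worm_like(trace)}")
```

Running the script prints one line per trace; the background trace keeps an SFM well above the threshold, while both worm traces fall far below it. The point a practitioner should take from the C-Worm case is that a flat time-domain count is not evidence of absence: the detector has to look at the spectrum of the count series, not at its trend.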


BIBLIOGRAPHY

[1] C. Zou, W. B. Gong, D. Towsley, and L. X. Gao, "Monitoring and early detection for internet worms," in Proceedings of the 10th ACM Conference on Computer and Communication Security (CCS), Washington DC, October 2003.

[2] C. C. Zou, D. Towsley, and W. Gong, "Modeling and simulation study of the propagation and defense of internet e-mail worm," IEEE Transactions on Dependable and Secure Computing, vol. 4, no. 2, pp. 105–118, 2007.

[3] W. Yu, X. Wang, P. Calyam, D. Xuan, and W. Zhao, "Modeling and Detection of Camouflaging Worm," IEEE Transactions on Dependable and Secure Computing, vol. 8, no. 3, pp. 377–390, May–June 2011.

[4] W. Yu, X. Wang, P. Calyam, D. Xuan, and W. Zhao, "On Detecting Camouflaging Worm," in Proceedings of the Annual Computer Security Applications Conference (ACSAC), 2006, pp. 235–244.

[5] J. Nazario et al., "The Future of Internet Worms," Blackhat Briefings, Las Vegas, NV, July 2001. Available at http://www.crimelabs.net/docs/worms/worm.pdf.

[6] A. Dainotti, A. Pescape, and G. Ventre, "Worm Traffic Analysis and Characterization," in Proceedings of the IEEE International Conference on Communications (ICC), 2007.

[7] Y. K. Jain and S. Singh, "Honeypot based Secure Network System," International Journal on Computer Science and Engineering (IJCSE), vol. 3, no. 2, Feb. 2011.

[8] K. Ilgun, R. Kemmerer, and P. Porras, "State Transition Analysis: A Rule-based Intrusion Detection Approach," IEEE Trans. Software Eng., vol. 2, pp. 181–199, 1995.

Figure 8